Live CD 9.1 remote root access

A configuration error on the Live CD allows for a passwordless, remote root login to the system via ssh, if the computer has booted from the Live CD and if it is connected to a network. Since the CD-ROM is a read-only medium by definition, there is no solution for this error that would be persistent over a reboot from the Live CD. Manually killing all running instances of the secure shell daemon ("killall sshd" as root) after each boot cures the problem, while still exposing the vulnerability in the time window between startup and the killing of the sshd process.

This SUSE Security Announcement targets the Live CD that comes with the
SUSE LINUX 9.1 Personal edition. The Live CD can boot and run on any PC
that has a CD-ROM drive, offering a convenient opportunity for users
who want to try out SUSE Linux without any modification to the system
that is installed on the computer. Similar CD-ROM iso images have been
available for download from our ftp server with each release of the
SUSE LINUX home user product for years.
Upon boot, the Live CD will automatically configure a network card if
one has been detected. It requires user interaction for dialup
network access.

A configuration error on the Live CD allows for a passwordless, remote
root login to the system via ssh, if the computer has booted from the
Live CD and if it is connected to a network. Since the CD-ROM is a
read-only medium by definition, there is no solution for this error
that would be persistent over a reboot from the Live CD. Manually
killing all running instances of the secure shell daemon ("killall
sshd" as root) after each boot cures the problem, while still exposing
the vulnerability in the time window between startup and the killing
of the sshd process.

It is a policy for a fresh install of SUSE LINUX products to enable
the user to log on to the system using secure shell (ssh). During the
installation of the system, the user is prompted for a root password.
The Live CD does not install any system on a medium and therefore does
not ask for a root password. By consequence, passwordless logins
should be denied on the system, regardless of whether the account in
question is the super user account or not. The Live CD 9.1 suffers
from this misconfiguration.
Our permanent fix for the vulnerability is to download the iso image
of the fixed Live CD 9.1 from the URL as listed below and to burn it
on a CD-R using a CD-burner and the software that comes with the SUSE
LINUX 9.1 Personal or Professional (cdrecord, k3b). The new image
still runs a secure shell daemon for remote login, but it does not
allow remote logins on a zero-length password account, and it denies
remote root login attempts, independently from the password.

We thank Patrick Kranefeld and Fabian Franz who have reported the
configuration neglectfulness on the SUSE LINUX 9.1 Live CD to SUSE
Security.

Image authenticity verification:
The file LiveCD-9.1-01.iso has a length of 706349056 bytes. If you run
the command "md5sum LiveCD-9.1-01.iso" after you have downloaded the
file, the md5sum command should print the following md5sum:

9f4ed1bc6b3ee582bf593fde75d5db43

This md5 sum is also contained in the file MD5SUMS in the same
directory as the LiveCD-9.1-01.iso file. Its signature (by[email protected]) is contained in the file MD5SUMS.sig.

- xchat
A buffer overflow in the SOCKS5 code of the XChat program has been
fixed. New packages are available on our ftp servers.

- tcpdump
The tcpdump program contained a remote DoS condition in its ISAKMP
packet handling (CAN-2004-0183 and CAN-2004-0184).
Fixed packages are available on our ftp servers.

- lha
A buffer overflow in the header parsing routines of lha has been fixed.
Additionally lha did not properly handle pathnames within archives
(CAN-2004-0234 and CAN-2004-0235).
Fixed packages are available on our ftp servers.

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key [email protected]),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig
to verify the signature of the package, where is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "[email protected]" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SuSE runs two security mailing lists to which any interested party may
subscribe:

[email protected]
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to.

[email protected]
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to.

For general information or the frequently asked questions (faq)
send mail to: or respectively.

=====================================================================
SuSE's security contact is or .
The public key is listed below.
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.